The Drupal Security Team

  • What type of people are on the Drupal Security Team?
    • https://security.drupal.org/team-members
    • Mostly coders, some project managers, core maintainers
  • What does the security team do?
    • We fix issues in drupal
    • Resolve reported security issues in a Security Advisory
    • Provide assistance for contributed module maintainers in resolving security issues
    • Provide documentation on how to write secure code
    • Provide documentation on securing your site
    • Help the infrastructure team to keep the drupal.org infrastructure secure
  • What doesn’t the security team do
    • projects without stable releases
    • Site support
    • Set policy around security with the security working group.
  • Is there a D7 security team and a D8 security team with different people? (What about Drupal 6)
  • How can others get involved?
  • What was the recent bug that was fixed

Questions from Twitter

  • Paulius Pazdrazdys
    How this latest security release is different from others? Do you have any information if this bug done any harm before release?
  • aboros
    The recent bug was über critical, still only 20/25. What would be a 25/25 bug?
  • aboros
    Do you notify any high value targets before SA is sent out? Is the list of those public? Can one be part of this privileged group?
  • Carie Fisher
    When the latest bug was found? is there a private drupal security group where this was discussed? could we have found out sooner?
  • David Hernandez
    What is the average time from discovery to announcement?
  • Damien McKenna
    @ModsUnraveled Are there existing stats on how long it takes from initial reporting, to maintainer response, to first patch & fix?
  • Heine Deelstra
    How was SA-CORE-005 (in hindsight) able to be public for so long in the public queue?
  • Mark Conroy
    I think the #drupal security team are great. Working extremely hard. (I know, that wasn't a question)
  • aboros
    Are there plans for some sort of bounty program run by DA maybe?
  • David Hernandez
    What kind of work does the security team do besides review code? What is the administrative overhead?